2020-08-21 16:48:16 +02:00
[![GitHub release ](https://img.shields.io/github/release/docker/login-action.svg?style=flat-square )](https://github.com/docker/login-action/releases/latest)
2020-08-15 14:45:36 +02:00
[![GitHub marketplace ](https://img.shields.io/badge/marketplace-docker--login-blue?logo=github&style=flat-square )](https://github.com/marketplace/actions/docker-login)
2022-12-19 20:34:47 +01:00
[![CI workflow ](https://img.shields.io/github/actions/workflow/status/docker/login-action/ci.yml?branch=master&label=ci&logo=github&style=flat-square )](https://github.com/docker/login-action/actions?workflow=ci)
[![Test workflow ](https://img.shields.io/github/actions/workflow/status/docker/login-action/test.yml?branch=master&label=test&logo=github&style=flat-square )](https://github.com/docker/login-action/actions?workflow=test)
2020-08-21 16:48:16 +02:00
[![Codecov ](https://img.shields.io/codecov/c/github/docker/login-action?logo=codecov&style=flat-square )](https://codecov.io/gh/docker/login-action)
2020-08-15 14:45:36 +02:00
## About
2020-08-21 16:48:16 +02:00
GitHub Action to login against a Docker registry.
2020-08-15 14:45:36 +02:00
2020-08-21 16:48:16 +02:00
![Screenshot ](.github/docker-login.png )
2020-08-15 14:57:48 +02:00
2020-08-15 14:45:36 +02:00
___
* [Usage ](#usage )
2020-12-11 07:15:35 +01:00
* [Docker Hub ](#docker-hub )
2020-09-01 20:38:53 +02:00
* [GitHub Container Registry ](#github-container-registry )
2020-08-15 15:38:12 +02:00
* [GitLab ](#gitlab )
2020-08-21 16:29:54 +02:00
* [Azure Container Registry (ACR) ](#azure-container-registry-acr )
* [Google Container Registry (GCR) ](#google-container-registry-gcr )
2020-10-23 16:30:05 +02:00
* [Google Artifact Registry (GAR) ](#google-artifact-registry-gar )
2020-08-21 16:29:54 +02:00
* [AWS Elastic Container Registry (ECR) ](#aws-elastic-container-registry-ecr )
2020-12-11 07:15:35 +01:00
* [AWS Public Elastic Container Registry (ECR) ](#aws-public-elastic-container-registry-ecr )
2020-11-10 16:19:17 +01:00
* [OCI Oracle Cloud Infrastructure Registry (OCIR) ](#oci-oracle-cloud-infrastructure-registry-ocir )
2021-03-26 22:58:30 +01:00
* [Quay.io ](#quayio )
2024-03-27 13:44:28 +01:00
* [DigitalOcean ](#digitalocean-container-registry )
2024-11-26 01:53:15 +01:00
* [Buildkite Packages ](#buildkite-package-registry )
2020-08-15 14:45:36 +02:00
* [Customizing ](#customizing )
* [inputs ](#inputs )
2024-05-28 10:01:29 +02:00
* [Contributing ](#contributing )
2020-08-15 14:45:36 +02:00
## Usage
2020-12-11 07:15:35 +01:00
### Docker Hub
2020-08-15 15:38:12 +02:00
2023-09-12 10:19:49 +02:00
When authenticating to [Docker Hub ](https://hub.docker.com ) with GitHub Actions,
use a [personal access token ](https://docs.docker.com/docker-hub/access-tokens/ ).
Don't use your account password.
2020-09-10 18:31:33 +02:00
2020-08-15 15:38:12 +02:00
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2020-08-15 15:38:12 +02:00
jobs:
login:
runs-on: ubuntu-latest
steps:
-
2020-12-11 07:15:35 +01:00
name: Login to Docker Hub
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2020-08-15 15:38:12 +02:00
with:
2024-10-02 14:29:58 +02:00
username: ${{ vars.DOCKERHUB_USERNAME }}
2020-09-10 18:31:33 +02:00
password: ${{ secrets.DOCKERHUB_TOKEN }}
2020-08-15 15:38:12 +02:00
```
2020-09-01 20:38:53 +02:00
### GitHub Container Registry
2023-09-12 10:19:49 +02:00
To authenticate to the [GitHub Container Registry ](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry ),
use the [`GITHUB_TOKEN` ](https://docs.github.com/en/actions/reference/authentication-in-a-workflow )
secret.
2020-08-15 15:38:12 +02:00
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2020-08-15 15:38:12 +02:00
jobs:
login:
runs-on: ubuntu-latest
steps:
-
2020-09-01 20:38:53 +02:00
name: Login to GitHub Container Registry
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2020-09-01 20:38:53 +02:00
with:
registry: ghcr.io
2021-07-06 20:32:11 +02:00
username: ${{ github.actor }}
2021-03-24 23:23:59 +01:00
password: ${{ secrets.GITHUB_TOKEN }}
2020-09-01 20:38:53 +02:00
```
2021-08-10 10:27:51 +02:00
You may need to [manage write and read access of GitHub Actions ](https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-ghcrio )
for repositories in the container settings.
2021-03-24 23:23:59 +01:00
You can also use a [personal access token (PAT) ](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token )
with the [appropriate scopes ](https://docs.github.com/en/packages/getting-started-with-github-container-registry/migrating-to-github-container-registry-for-docker-images#authenticating-with-the-container-registry ).
2020-09-01 20:38:53 +02:00
### GitLab
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2020-09-01 20:38:53 +02:00
jobs:
login:
runs-on: ubuntu-latest
steps:
2020-08-15 15:38:12 +02:00
-
name: Login to GitLab
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2020-08-15 15:38:12 +02:00
with:
registry: registry.gitlab.com
2024-10-02 14:29:58 +02:00
username: ${{ vars.GITLAB_USERNAME }}
2020-08-15 15:38:12 +02:00
password: ${{ secrets.GITLAB_PASSWORD }}
2020-08-15 14:45:36 +02:00
```
2023-09-12 10:19:49 +02:00
If you have [Two-Factor Authentication ](https://gitlab.com/help/user/profile/account/two_factor_authentication )
enabled, use a [Personal Access Token ](https://gitlab.com/help/user/profile/personal_access_tokens )
instead of a password.
2023-05-30 08:20:21 +02:00
2020-08-21 16:29:54 +02:00
### Azure Container Registry (ACR)
[Create a service principal ](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal#create-a-service-principal )
with access to your container registry through the [Azure CLI ](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli )
2023-09-12 10:19:49 +02:00
and take note of the generated service principal's ID (also called _client ID_ )
and password (also called _client secret_ ).
2020-08-21 16:29:54 +02:00
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2020-08-21 16:29:54 +02:00
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to ACR
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2020-08-21 16:29:54 +02:00
with:
registry: < registry-name > .azurecr.io
2024-10-02 14:29:58 +02:00
username: ${{ vars.AZURE_CLIENT_ID }}
2020-08-21 16:29:54 +02:00
password: ${{ secrets.AZURE_CLIENT_SECRET }}
```
> Replace `<registry-name>` with the name of your registry.
2020-08-20 15:59:36 +02:00
### Google Container Registry (GCR)
2023-09-12 10:19:49 +02:00
> [Google Artifact Registry](#google-artifact-registry-gar) is the evolution of
> Google Container Registry. As a fully-managed service with support for both
> container images and non-container artifacts. If you currently use Google
> Container Registry, use the information [on this page](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr)
2020-10-23 16:30:05 +02:00
> to learn about transitioning to Google Artifact Registry.
2023-09-12 10:19:49 +02:00
You can authenticate with workload identity federation or a service account.
2021-12-02 15:54:50 +01:00
2023-09-12 10:19:49 +02:00
#### Workload identity federation
2021-12-02 15:54:50 +01:00
2023-09-12 10:19:49 +02:00
Configure the workload identity federation for GitHub Actions in Google Cloud,
[see here ](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation ).
Your service account must have permission to push to GCR. Use the
`google-github-actions/auth` action to authenticate using workload identity as
shown in the following example:
2021-12-02 15:54:50 +01:00
```yaml
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
2023-09-12 10:19:49 +02:00
-
name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v1
2021-12-02 15:54:50 +01:00
with:
2023-09-12 10:19:49 +02:00
token_format: access_token
workload_identity_provider: < workload_identity_provider >
service_account: < service_account >
-
name: Login to GCR
uses: docker/login-action@v3
2021-12-02 15:54:50 +01:00
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
```
2023-09-12 10:19:49 +02:00
> Replace `<workload_identity_provider>` with configured workload identity
> provider. For steps to configure, [see here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation).
2021-12-02 15:54:50 +01:00
2023-09-12 10:19:49 +02:00
> Replace `<service_account>` with configured service account in workload
> identity provider which has access to push to GCR
2021-12-02 15:54:50 +01:00
#### Service account based authentication
2023-09-12 10:19:49 +02:00
Use a service account with permission to push to GCR and [configure access control ](https://cloud.google.com/container-registry/docs/access-control ).
Download the key for the service account as a JSON file. Save the contents of
the file [as a secret ](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository )
2024-10-02 14:15:12 +02:00
named `GCR_JSON_KEY` in your GitHub repository. Set the username to `_json_key` .
2020-08-20 15:59:36 +02:00
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2020-08-20 15:59:36 +02:00
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to GCR
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2020-08-20 15:59:36 +02:00
with:
registry: gcr.io
username: _json_key
password: ${{ secrets.GCR_JSON_KEY }}
```
2020-10-23 16:30:05 +02:00
### Google Artifact Registry (GAR)
2023-09-12 10:19:49 +02:00
You can authenticate with workload identity federation or a service account.
2021-12-02 15:54:50 +01:00
2023-09-12 10:19:49 +02:00
#### Workload identity federation
2021-12-02 15:54:50 +01:00
2024-04-04 17:17:07 +02:00
Your service account must have permission to push to GAR. Use the
`google-github-actions/auth` action to authenticate using workload identity as
shown in the following example:
2021-12-02 15:54:50 +01:00
```yaml
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
2023-09-12 10:19:49 +02:00
-
name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v1
2021-12-02 15:54:50 +01:00
with:
2023-09-12 10:19:49 +02:00
token_format: access_token
workload_identity_provider: < workload_identity_provider >
service_account: < service_account >
-
name: Login to GAR
uses: docker/login-action@v3
2021-12-02 15:54:50 +01:00
with:
registry: < location > -docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
```
2023-09-12 10:19:49 +02:00
> Replace `<workload_identity_provider>` with configured workload identity
> provider
> Replace `<service_account>` with configured service account in workload
> identity provider which has access to push to GCR
2021-12-02 15:54:50 +01:00
> Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations)
> of the repository where the image is stored.
#### Service account based authentication
2023-09-12 10:19:49 +02:00
Use a service account with permission to push to GAR and [configure access control ](https://cloud.google.com/artifact-registry/docs/access-control ).
Download the key for the service account as a JSON file. Save the contents of
the file [as a secret ](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository )
2024-04-04 17:17:07 +02:00
named `GAR_JSON_KEY` in your GitHub repository. Set the username to `_json_key` ,
2021-12-19 22:44:48 +01:00
or `_json_key_base64` if you use a base64-encoded key.
2020-10-23 16:30:05 +02:00
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2020-10-23 16:30:05 +02:00
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to GAR
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2020-10-23 16:30:05 +02:00
with:
registry: < location > -docker.pkg.dev
username: _json_key
password: ${{ secrets.GAR_JSON_KEY }}
```
> Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations)
> of the repository where the image is stored.
2020-08-20 15:59:36 +02:00
### AWS Elastic Container Registry (ECR)
2020-12-17 20:21:48 +01:00
Use an IAM user with the ability to [push to ECR with `AmazonEC2ContainerRegistryPowerUser` managed policy for example ](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryPowerUser ).
2023-09-12 10:19:49 +02:00
Download the access keys and save them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets ](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository )
2020-08-20 15:59:36 +02:00
in your GitHub repo.
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2020-08-20 15:59:36 +02:00
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to ECR
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2020-08-20 15:59:36 +02:00
with:
registry: < aws-account-number > .dkr.ecr.< region > .amazonaws.com
2024-10-02 14:29:58 +02:00
username: ${{ vars.AWS_ACCESS_KEY_ID }}
2020-08-20 15:59:36 +02:00
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
```
2023-09-12 10:19:49 +02:00
If you need to log in to Amazon ECR registries associated with other accounts,
you can use the `AWS_ACCOUNT_IDS` environment variable:
2020-12-16 21:53:24 +01:00
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2020-12-16 21:53:24 +01:00
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to ECR
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2020-12-16 21:53:24 +01:00
with:
registry: < aws-account-number > .dkr.ecr.< region > .amazonaws.com
2024-10-02 14:29:58 +02:00
username: ${{ vars.AWS_ACCESS_KEY_ID }}
2020-12-16 21:53:24 +01:00
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
env:
2020-12-17 20:21:48 +01:00
AWS_ACCOUNT_IDS: 012345678910,023456789012
2020-12-16 21:53:24 +01:00
```
> Only available with [AWS CLI version 1](https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login.html)
2023-09-12 10:19:49 +02:00
You can also use the [Configure AWS Credentials ](https://github.com/aws-actions/configure-aws-credentials )
action in combination with this action:
2020-10-20 14:41:56 +02:00
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2020-10-20 14:41:56 +02:00
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Configure AWS Credentials
2023-09-12 10:19:49 +02:00
uses: aws-actions/configure-aws-credentials@v4
2020-10-20 14:41:56 +02:00
with:
2024-10-02 14:29:58 +02:00
aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
2020-10-20 14:41:56 +02:00
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: < region >
-
name: Login to ECR
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2020-10-20 14:41:56 +02:00
with:
registry: < aws-account-number > .dkr.ecr.< region > .amazonaws.com
```
2020-08-20 15:59:36 +02:00
> Replace `<aws-account-number>` and `<region>` with their respective values.
2020-12-11 07:15:35 +01:00
### AWS Public Elastic Container Registry (ECR)
2023-09-12 10:19:49 +02:00
Use an IAM user with permission to push to ECR Public, for example using [managed policies ](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPowerUser ).
Download the access keys and save them as `AWS_ACCESS_KEY_ID` and
`AWS_SECRET_ACCESS_KEY` [secrets ](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository )
in your GitHub repository.
2020-12-11 07:15:35 +01:00
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2020-12-11 07:15:35 +01:00
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to Public ECR
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2020-12-11 07:15:35 +01:00
with:
registry: public.ecr.aws
2024-10-02 14:29:58 +02:00
username: ${{ vars.AWS_ACCESS_KEY_ID }}
2020-12-11 07:15:35 +01:00
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
env:
AWS_REGION: < region >
```
> Replace `<region>` with its respective value (default `us-east-1`).
2020-11-10 16:19:17 +01:00
### OCI Oracle Cloud Infrastructure Registry (OCIR)
2020-12-16 21:53:24 +01:00
2020-11-10 16:19:17 +01:00
To push into OCIR in specific tenancy the [username ](https://www.oracle.com/webfolder/technetwork/tutorials/obe/oci/registry/index.html#LogintoOracleCloudInfrastructureRegistryfromtheDockerCLI )
2020-12-16 21:53:24 +01:00
must be placed in format `<tenancy>/<username>` (in case of federated tenancy use the format
`<tenancy-namespace>/oracleidentitycloudservice/<username>` ).
For password [create an auth token ](https://www.oracle.com/webfolder/technetwork/tutorials/obe/oci/registry/index.html#GetanAuthToken ).
Save username and token [as a secrets ](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository )
in your GitHub repo.
2020-11-10 16:19:17 +01:00
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2020-11-10 16:19:17 +01:00
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to OCIR
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2020-11-10 16:19:17 +01:00
with:
registry: < region > .ocir.io
2024-10-02 14:29:58 +02:00
username: ${{ vars.OCI_USERNAME }}
2020-11-10 16:19:17 +01:00
password: ${{ secrets.OCI_TOKEN }}
```
2020-12-16 21:53:24 +01:00
2020-11-10 16:19:17 +01:00
> Replace `<region>` with their respective values from [availability regions](https://docs.cloud.oracle.com/iaas/Content/Registry/Concepts/registryprerequisites.htm#Availab)
2021-03-26 19:37:33 +01:00
### Quay.io
2023-09-12 10:19:49 +02:00
Use a [Robot account ](https://docs.quay.io/glossary/robot-accounts.html ) with
permission to push to a Quay.io repository.
2021-03-26 19:37:33 +01:00
```yaml
name: ci
on:
push:
2021-12-02 15:54:50 +01:00
branches: main
2021-03-26 19:37:33 +01:00
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to Quay.io
2023-09-12 10:19:49 +02:00
uses: docker/login-action@v3
2021-03-26 19:37:33 +01:00
with:
registry: quay.io
2024-10-02 14:29:58 +02:00
username: ${{ vars.QUAY_USERNAME }}
2021-03-26 19:37:33 +01:00
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
```
2024-03-27 13:44:28 +01:00
### DigitalOcean Container Registry
Use your DigitalOcean registered email address and an API access token to authenticate.
```yaml
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to DigitalOcean Container Registry
uses: docker/login-action@v3
with:
registry: registry.digitalocean.com
2024-10-02 14:29:58 +02:00
username: ${{ vars.DIGITALOCEAN_USERNAME }}
2024-03-27 13:44:28 +01:00
password: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
```
2024-11-25 13:13:53 +01:00
### Buildkite Package Registry
Use your Buildkite registered email address and an API access token to authenticate.
```yaml
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to Buildkite Package Registry
uses: docker/login-action@v3
with:
registry: packages.buildkite.com
username: buildkite #All usernames to buildkite packages is "buildkite". Ref https://buildkite.com/docs/package-registries
password: ${{ secrets.BUILDKITE_ACCESS_TOKEN }}
```
Scope required:
```
read_registries
write_registries
read_packages
write_packages
```
2020-08-15 14:45:36 +02:00
## Customizing
### inputs
2023-09-12 10:19:49 +02:00
The following inputs can be used as `step.with` keys:
2020-08-15 14:45:36 +02:00
2023-09-12 10:19:49 +02:00
| Name | Type | Default | Description |
|------------|--------|---------|-------------------------------------------------------------------------------|
| `registry` | String | | Server address of Docker registry. If not set then will default to Docker Hub |
| `username` | String | | Username for authenticating to the Docker registry |
| `password` | String | | Password or personal access token for authenticating the Docker registry |
| `ecr` | String | `auto` | Specifies whether the given registry is ECR (`auto`, `true` or `false` ) |
| `logout` | Bool | `true` | Log out from the Docker registry at the end of a job |
2020-08-15 14:45:36 +02:00
2024-05-28 10:01:29 +02:00
## Contributing
2020-08-20 17:31:36 +02:00
2024-05-28 10:01:29 +02:00
Want to contribute? Awesome! You can find information about contributing to
this project in the [CONTRIBUTING.md ](/.github/CONTRIBUTING.md )